This article is produced by scandiweb

scandiweb is the most certified Adobe Commerce (Magento) team globally, being a long-term official Adobe partner specializing in Commerce in EMEA and the Americas. eCommerce has been our core expertise for 20+ years.

Case Study: How to Ensure GDPR Compliance with Server-Side Tagging

GDPR can be a tricky subject. Often the guidelines are hard to understand or are misinterpreted, resulting in a site with a vague understanding of how to be GDPR compliant getting into legal trouble. 

For example, the user sees a banner about data collection with one button on it that simply closes the notice banner but does nothing beyond that to ensure they have a choice in the matter of how their data is collected and processed. This can end up in legal action being taken against the site owner when things go awry and user identities are compromised—most of the time, due to a data breach.

What is GDPR?

GDPR or CCPA compliance is a set of guidelines that site owners have to do their best to comply with to minimize losses in a worst-case scenario. It’s like having sprinklers, fire extinguishers, and fire exits in a building won’t prevent a fire from ever occurring, but it will ensure the disaster is dealt with accordingly before it gets out of hand.

At the heart and center of GDPR compliance is the humble cookie—a small bundle of information set by various 3rd party vendors and stored on the user’s browser. Cookie management platforms such as OneTrust, Amasty, and CookieBot are tools that allow site owners to display a banner notice and provide options for users to either accept or decline certain categories of cookies. 

The expected outcome is the user coming to your site and seeing a banner that informs them about the site’s cookies and what the collected data is used for. No analytics, marketing, or social media cookies are set and no data is collected (unless it is done in a cookie-less way) until the user has consented. This is the part most site owners forget or don’t know needs to be done. You have to respect the users’ choice and restrict cookies and the collected data.

The price, as you might have surmised, is loss of data. When a user comes to the site for the first time, no data is collected until the user interacts with the banner. 

Note! For GDPR, all tracking is disabled by default. For CCPA, it is the opposite.

In many cases, the user rejects the cookies, and no event data is collected, including purchases. This results in a large gap in data analysis, as the percentage of missing orders, when compared to the ERP system, can exceed even 15%. 

The more truthful data you collect, the sharper your analytics image becomes, which you can use for informed BI decision-making. The goal is to remain GDPR compliant while collecting as much data as possible. 

What does the future of data tracking and privacy look like? Watch our webinar where we explore various tracking tools, the rise of countermeasures to prevent tracking, the current landscape of eCommerce tracking, and where the industry is headed.

How to ensure GDPR compliance?


The percentage of missing orders needs to be reduced to as low as 5% while remaining GDPR compliant.

Solution: server-side tagging

To achieve this for one of our clients, the scandiweb Analytics team used server-side tagging as the solution. Server-side tagging has many benefits. It is a first-party proxy endpoint that receives data from the site before being passed to Google Analytics, Facebook, etc. 

If a user comes to and places an order, that order data will be sent to, where the server-side container is located. Once the data is received, it can be cleaned and then passed on. 

This is a technique that allows you to bypass GDPR-imposed restrictions while remaining compliant. It allows for IP anonymization (the IP received will be that of, not the user’s) and reporting data to Google Analytics without the use of cookies because no direct connection is established between the user’s browser and Google Analytics servers. 

If you want to collect data the right way, utilize server-side tagging so that event data is still collected and sent to the appropriate destinations. 


You’ll end up with this scenario each time. The user comes to the site and rejects cookies. Tags in GTM still fire and report data to the server-side endpoint, but no cookie is set. The data then ends up in the server-side container, which passes it to a Google Analytics property.

Was this article helpful in ensuring you’re GDPR compliant? Need help with your analytics setup? Drop our Analytics team a message at [email protected] or contact us using the orange chat bubble to your right!

Need help with your eCommerce?

Get in touch for a free consultation to discuss your business and explore how we can help.

Your request will be processed by

If you enjoyed this post, you may also like